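# =============================================================================
# CLOUDFLARE TUNNEL
# =============================================================================

# The Cloudflare Tunnel itself. `config_src = "cloudflare"` means the ingress
# rules are managed remotely (see the TUNNEL CONFIGURATION section below)
# rather than in a local cloudflared config file.
resource "cloudflare_zero_trust_tunnel_cloudflared" "home_tunnel" {
  account_id = local.cloudflare_account_id
  name       = var.tunnel_name
  config_src = "cloudflare"
}

# Token used by the cloudflared agent to connect to this tunnel.
# NOTE(review): this is a long-lived connector credential and, like any
# data-source attribute, it is written to the Terraform state. Protect the
# state backend and mark any output that exposes it with `sensitive = true`.
data "cloudflare_zero_trust_tunnel_cloudflared_token" "home_tunnel_token" {
  account_id = local.cloudflare_account_id
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id
}

# Private-network route: traffic for var.tunnel_network coming from WARP
# clients is sent through this tunnel.
resource "cloudflare_zero_trust_tunnel_cloudflared_route" "home_tunnel_route" {
  account_id = local.cloudflare_account_id
  network    = var.tunnel_network
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id
  comment    = var.tunnel_network_comment
}

# Kept for reference. The account id is taken from locals rather than a
# literal so that no account identifier is hard-coded in the repository.
#data "cloudflare_zero_trust_tunnel_cloudflared_route" "home_tunnel_route_token" {
#  account_id = local.cloudflare_account_id
#  route_id   = cloudflare_zero_trust_tunnel_cloudflared_route.home_tunnel_route.id
#}

# =============================================================================
# DNS RECORDS (one per application)
# =============================================================================

# One CNAME per entry of var.applications, all pointing at the tunnel hostname.
resource "cloudflare_dns_record" "applications" {
  for_each = var.applications

  zone_id = local.cloudflare_zone_id
  name    = each.value.subdomain
  content = "${cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id}.cfargotunnel.com"
  type    = "CNAME"
  # Cloudflare only accepts TTL 1 ("automatic") on proxied records, so the
  # configured TTL is applied only when the record is not proxied. A CNAME to
  # cfargotunnel.com is expected to be proxied for the tunnel to serve it.
  ttl     = var.dns_proxied ? 1 : var.dns_ttl
  proxied = var.dns_proxied
  comment = "Managed by Terraform - ${each.key} via Cloudflare Tunnel"
}

# =============================================================================
# TUNNEL CONFIGURATION
# =============================================================================

# Remote ingress / WARP routing configuration for the tunnel.
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "home_tunnel_config" {
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id
  account_id = local.cloudflare_account_id

  config = {
    warp_routing = {
      enabled = var.tunnel_warp_routing_enabled
    }
    ingress = local.ingress_rules
  }

  lifecycle {
    # Ignore manual changes made in the Cloudflare Dashboard.
    # NOTE(review): this also disables drift detection for the ingress rules:
    # a service exposed out-of-band will never show up in `terraform plan`.
    # Review the live configuration periodically, or drop this once ingress
    # is fully managed from local.ingress_rules.
    ignore_changes = [config]
  }
}

# =============================================================================
# ACCESS POLICIES (optional)
# =============================================================================

# Example of a reusable access policy.
# Uncomment if you want to put the applications behind Cloudflare Access.
# NOTE(review): while this stays commented out, every hostname created above
# is reachable through the tunnel with no Cloudflare-side authentication;
# each application is then responsible for its own access control.
/*
resource "cloudflare_zero_trust_access_policy" "allow_emails" {
  account_id = local.cloudflare_account_id
  name       = "Allow specific emails"
  decision   = "allow"

  include = [
    {
      email = {
        email = local.cloudflare_email
      }
    },
    {
      email_domain = {
        domain = var.cloudflare_zone
      }
    }
  ]
}

# Access application for every application that requires it
resource "cloudflare_zero_trust_access_application" "applications" {
  for_each = {
    for app_name, app_config in var.applications :
    app_name => app_config
    if app_config.access_enabled
  }

  account_id = local.cloudflare_account_id
  type       = "self_hosted"
  name       = "Access for ${each.key}"
  domain     = "${each.value.subdomain}.${var.cloudflare_zone}"

  policies = [
    cloudflare_zero_trust_access_policy.allow_emails.id
  ]
}
*/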